Accepting request 1186820 from security:SELinux

- Enable sap module - Add equivalency in file_contexts.subs_dist * /bin /usr/bin * /sbin /usr/bin * /usr/sbin /usr/bin - Update to version 20240710: * Change fc in rebootmgr module for /sbin -> /usr/bin * Change fc in rpm module for /sbin -> /usr/bin * Change fc in rsync module for /sbin -> /usr/bin * Change fc in wicked module for /sbin -> /usr/bin * Confine libvirt-dbus * Allow virtqemud the kill capability in user namespace * Allow rshim get options of the netlink class for KOBJECT_UEVENT family * Allow dhcpcd the kill capability * Allow systemd-networkd list /var/lib/systemd/network * Allow sysadm_t run systemd-nsresourced bpf programs * Update policy for systemd generators interactions * Allow create memory.pressure files with cgroup_memory_pressure_t * Add support for libvirt hooks * Allow certmonger read and write tpm devices * Allow all domains to connect to systemd-nsresourced over a unix socket * Allow systemd-machined read the vsock device * Update policy for systemd generators * Allow ptp4l_t request that the kernel load a kernel module * Allow sbd to trace processes in user namespace * Allow request-key execute scripts * Update policy for haproxyd * Update policy for systemd-nsresourced * Correct sbin-related file context entries * Allow login_userdomain execute systemd-tmpfiles in the caller domain * Allow virt_driver_domain read files labeled unconfined_t * Allow virt_driver_domain dbus chat with policykit * Allow virtqemud manage nfs files when virt_use_nfs boolean is on * Add rules for interactions between generators * Label memory.pressure files with cgroup_memory_pressure_t * Revert "Allow some systemd services write to cgroup files" * Update policy for systemd-nsresourced * Label /usr/bin/ntfsck with fsadm_exec_t * Allow systemd_fstab_generator_t read tmpfs files * Update policy for systemd-nsresourced * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin * Remove a few lines duplicated between {dkim,milter}.fc * Alias /bin → /usr/bin and remove redundant paths * Drop duplicate line for /usr/sbin/unix_chkpwd * Drop duplicate paths for /usr/sbin * Update systemd-generator policy * Remove permissive domain for bootupd_t * Remove permissive domain for coreos_installer_t * Remove permissive domain for afterburn_t * Add the sap module to modules.conf * Move unconfined_domain(sap_unconfined_t) to an optional block * Create the sap module * Allow systemd-coredumpd sys_admin and sys_resource capabilities * Allow systemd-coredump read nsfs files * Allow generators auto file transition only for plain files * Allow systemd-hwdb write to the kernel messages device * Escape "interface" as a file name in a virt filetrans pattern * Allow gnome-software work for login_userdomain * Allow systemd-machined manage runtime sockets * Revert "Allow systemd-machined manage runtime sockets" * Allow postfix_domain connect to postgresql over a unix socket * Dontaudit systemd-coredump sys_admin capability - Update container-selinux OBS-URL: https://build.opensuse.org/request/show/1186820 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=64
2024-07-14 06:48:58 +00:00 · 2024-07-14 06:48:58 +00:00 · 253642ffe5
commit 253642ffe5
parent e591737fbd 9dc19e60e0
8 changed files with 116 additions and 6 deletions
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">174046c04175d806c0ea28d37f7b5ff8ac5afc8e</param></service><service name="tar_scm">
+              <param name="changesrevision">aa9c35290108fc65d5bf3d39813b1ce19e24ae4a</param></service><service name="tar_scm">
                <param name="url">https://github.com/containers/container-selinux.git</param>
              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
                <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
--- a/container.te
+++ b/container.te
@ -1,4 +1,4 @@
-policy_module(container, 2.230.0)
+policy_module(container, 2.232.1)

 gen_require(`
 	class passwd rootok;
@ -38,6 +38,13 @@ gen_tunable(sshd_launch_containers, false)
 ## </desc>
 gen_tunable(container_use_devices, false)

+## <desc>
+##  <p>
+##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
+##  </p>
+## </desc>
+gen_tunable(container_use_xserver_devices, false)
+
 ## <desc>
 ##  <p>
 ##  Allow containers to use any dri device volume mounted into container
@ -777,6 +784,8 @@ init_dbus_chat(spc_t)
 optional_policy(`
 	systemd_dbus_chat_machined(spc_t)
 	systemd_dbus_chat_logind(spc_t)
+	systemd_dbus_chat_timedated(spc_t)
+	systemd_dbus_chat_localed(spc_t)
 ')

 domain_transition_all(spc_t)
@ -1087,6 +1096,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;

+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@ -1394,6 +1404,11 @@ tunable_policy(`container_use_devices',`
 	allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')

+tunable_policy(`container_use_xserver_devices',`
+	dev_getattr_xserver_misc_dev(container_t)
+	dev_rw_xserver_misc(container_t)
+')
+
 tunable_policy(`container_use_dri_devices',`
 	dev_rw_dri(container_domain)
 ')
@ -1432,6 +1447,23 @@ allow container_engine_t filesystem_type:{dir file} mounton;
 allow container_engine_t proc_kcore_t:file mounton;
 allow container_engine_t proc_t:filesystem remount;
 allow container_engine_t sysctl_t:{dir file} mounton;
+allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
+allow container_engine_t fusefs_t:file relabelto;
+allow container_engine_t kernel_t:system module_request;
+allow container_engine_t null_device_t:chr_file mounton;
+allow container_engine_t random_device_t:chr_file mounton;
+allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t urandom_device_t:chr_file mounton;
+allow container_engine_t zero_device_t:chr_file mounton;
+
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
+
+optional_policy(`
+	gen_require(`
+		type devtty_t;
+	')
+	allow container_engine_t devtty_t:chr_file mounton;
+')

 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@ -1444,6 +1476,7 @@ optional_policy(`
 	unconfined_domain(kubelet_t)
 ')

+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@ -17,3 +17,6 @@
 /var/adm/netconfig/md5/etc /etc
 /var/adm/netconfig/md5/var /var
 /usr/etc /etc
+/bin /usr/bin
+/sbin /usr/bin
+/usr/sbin /usr/bin
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2775,3 +2775,10 @@ libalternatives = module
 ## kiw
 ##
 kiwi = module
+
+# Layer: contrib
+# Module: sap
+#
+# sap
+#
+sap = module
--- a/selinux-policy-20240702.tar.xz
+++ b/selinux-policy-20240702.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bb5f624faac88d42e90be711332ebb9d3afa927a10203a349b09662d8dd7b9fd
-size 770784
--- a/selinux-policy-20240710.tar.xz
+++ b/selinux-policy-20240710.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:086d591ee29414674073d35d83804327b91c2349b30c45ef1ccd1ddc14c0b8d3
+size 770292
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Wed Jul 10 07:45:13 UTC 2024 - cathy.hu@suse.com
+
+- Enable sap module
+- Add equivalency in file_contexts.subs_dist
+  * /bin /usr/bin
+  * /sbin /usr/bin
+  * /usr/sbin /usr/bin
+- Update to version 20240710:
+  * Change fc in rebootmgr module for /sbin -> /usr/bin
+  * Change fc in rpm module for /sbin -> /usr/bin
+  * Change fc in rsync module for /sbin -> /usr/bin
+  * Change fc in wicked module for /sbin -> /usr/bin
+  * Confine libvirt-dbus
+  * Allow virtqemud the kill capability in user namespace
+  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
+  * Allow dhcpcd the kill capability
+  * Allow systemd-networkd list /var/lib/systemd/network
+  * Allow sysadm_t run systemd-nsresourced bpf programs
+  * Update policy for systemd generators interactions
+  * Allow create memory.pressure files with cgroup_memory_pressure_t
+  * Add support for libvirt hooks
+  * Allow certmonger read and write tpm devices
+  * Allow all domains to connect to systemd-nsresourced over a unix socket
+  * Allow systemd-machined read the vsock device
+  * Update policy for systemd generators
+  * Allow ptp4l_t request that the kernel load a kernel module
+  * Allow sbd to trace processes in user namespace
+  * Allow request-key execute scripts
+  * Update policy for haproxyd
+  * Update policy for systemd-nsresourced
+  * Correct sbin-related file context entries
+  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
+  * Allow virt_driver_domain read files labeled unconfined_t
+  * Allow virt_driver_domain dbus chat with policykit
+  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
+  * Add rules for interactions between generators
+  * Label memory.pressure files with cgroup_memory_pressure_t
+  * Revert "Allow some systemd services write to cgroup files"
+  * Update policy for systemd-nsresourced
+  * Label /usr/bin/ntfsck with fsadm_exec_t
+  * Allow systemd_fstab_generator_t read tmpfs files
+  * Update policy for systemd-nsresourced
+  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
+  * Remove a few lines duplicated between {dkim,milter}.fc
+  * Alias /bin → /usr/bin and remove redundant paths
+  * Drop duplicate line for /usr/sbin/unix_chkpwd
+  * Drop duplicate paths for /usr/sbin
+  * Update systemd-generator policy
+  * Remove permissive domain for bootupd_t
+  * Remove permissive domain for coreos_installer_t
+  * Remove permissive domain for afterburn_t
+  * Add the sap module to modules.conf
+  * Move unconfined_domain(sap_unconfined_t) to an optional block
+  * Create the sap module
+  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
+  * Allow systemd-coredump read nsfs files
+  * Allow generators auto file transition only for plain files
+  * Allow systemd-hwdb write to the kernel messages device
+  * Escape "interface" as a file name in a virt filetrans pattern
+  * Allow gnome-software work for login_userdomain
+  * Allow systemd-machined manage runtime sockets
+  * Revert "Allow systemd-machined manage runtime sockets"
+  * Allow postfix_domain connect to postgresql over a unix socket
+  * Dontaudit systemd-coredump sys_admin capability
+- Update container-selinux
+
 -------------------------------------------------------------------
 Tue Jul 02 10:03:44 UTC 2024 - cathy.hu@suse.com

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20240702
+Version:        20240710
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc